Former Hopkins grad students' personal data exposed online

Pamela Wood, The Baltimore Sun

More than 2,000 Social Security numbers of former Johns Hopkins University graduate students were exposed to potential hackers, the university confirmed Saturday.

Hopkins officials discovered on March 19 that the names and Social Security numbers of 2,166 former students were stored on a server that was accessible to the Internet, said Dennis O'Shea, a university spokesman.

"Somebody had stashed them on a machine, not realizing that when they did that, the files would be accessible on the Internet," O'Shea said.

The records were intended to be used internally, he said. They belonged to people who were graduate students at the Homewood campus from 2007 to 2009.

The university does not believe the names and numbers were accessed by anyone with malicious intent. Logs show, however, that the records were accessed a few dozen times, possibly by search engines or web crawlers, O'Shea said.

As soon as the problem was discovered, the files were taken offline. A security audit showed no other records were inadvertently posted online, O'Shea said.

The university sent letters to affected students this week and is offering one year of free credit monitoring and identity protection.

Employees will be trained to make sure the error is not repeated, O'Shea said.

This is the second time in recent months that Hopkins has had concerns about the security of student data.

Earlier in March, someone claiming to be with the hacker group Anonymous posted online the names, email addresses and phone numbers of 848 current and former biomedical engineering students at Johns Hopkins. The information did not include Social Security numbers or credit card numbers.

The hacker was attempting to extort the university to gain server passwords, which the university said it did not turn over.

The University of Maryland, College Park has had two data breaches in recent months. First, hackers obtained names, Social Security numbers and other private information for 287,580 students, alumni, faculty and staff. Then, a former university contract worker took administrators' personal information and posted it online in what he said was a whistleblower attempt to draw attention to security flaws.

O'Shea said that identify theft and data security is a concern for universities.

"In general, we do a very fine job of fending off those attacks," he said. "This was a situation where someone inadvertently left information exposed where it shouldn't have been."